Changes between Version 66 and Version 67 of doc/TorBOX/BareMetalHints


Ignore:
Timestamp:
Sep 27, 2012, 11:29:47 PM (6 years ago)
Author:
proper
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • doc/TorBOX/BareMetalHints

    v66 v67  
    1 [[TOC(noheading, depth=0)]]
     1TorBOX has been renamed to Whonix.
    22
    3 [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX aos Homepage]
     3This page has been moved. The History of this page might still be interesting.
    44
    5 '''WARNING''': Instructions for aos 0.3.0 with Physical Isolation are still under development. Advanced Linux users can already understand them.
    6 
    7 '''WARNING''': [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/SecurityAndHardening#BuildAnonymity Build Anonymity] has not been considered for this article.
    8 
    9 '''WARNING''': This article currently lacks information about aos-Gateway's and aos-Workstation's MAC address. See also
    10  * [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/SecurityAndHardening#aossProtocol-Leak-ProtectionandFingerprinting-Protection aos's Protocol-Leak-Protection and Fingerprinting-Protection]
    11  * [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/SecurityAndHardening#aosinpublicnetworksMACAddress aos in public networks / MAC Address]
    12  * [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Dev#SECURITYMACaddressinpublicnetworksOPEN Mac address in public networks].
    13 
    14 '''NOTE''': The terminology "Bare Metal aos" is no longer accurate. We do not refer to running a software on virtualizers vs physical systems. What this setup is actually about, is installing aos-Gateway and aos-Workstation on a single physical system vs installing on two different physical systems and using virtualization, i.e. Physical Isolation.
    15 
    16 = Introduction =
    17 When setting up aos in the form of two VMs running on the same host, exploits targeting the VM implementation or the host can still break out of the torified Client VM and expose the IP of a user. Malware running on the host has full control over all VMs. To prevent against such attacks we need a different approach: In this context we called it "bare metal" because the gateway system is installed on separate hardware ("metal"). This drastically reduces the [https://en.wikipedia.org/wiki/Trusted_computing_base TCB] by more than the half.
    18 
    19 In total we'll be installing and configuring two computers and set up an isolated point to point network between them (you could also set up a an ordinary, completely isolated, LAN behind the aos-Gateway but read this [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/SecurityAndHardening#Recommendationtousemultipleaos-Workstations NOTE]). One computer acts as the client or "aos-Workstation", the other as a proxy or "aos-Gateway" which will transparently route all of the aos-Workstation's traffic through Tor.
    20 
    21 The aos-Gateway on its own physical device can be running either directly on "bare metal" or inside a virtual machine. Both options have advantages and disadvantages. We recommend to use no additional Virtual Machine for the aos-Gateway.
    22 
    23 The aos-Workstation should always be installed in a Virtual Machine: A VM hides hardware serial numbers. See also [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/SecurityAndHardening#RecommendationtousemultipleVMSnapshots Recommendation to use multiple VM Snapshots].,, [[BR]]
    24 
    25 == Using spare hardware + Virtual Machine ==
    26 Advantages:
    27  * You can install a graphical host.
    28  * Use the aos download version.
    29  * You can use the graphical network manager on the host, for example to connect to WiFi.
    30  * You can setup easily a VPN on the host. Tor will be tunneled through the VPN.
    31 Disadvantages:
    32  * Higher attack surface, because the Virtual Machine code get's involved.
    33 
    34 == Using spare hardware without Virtual Machine ==
    35 Advantages:
    36  * More secure, because less code is involved.
    37 Disadvantages:
    38  * Slightly more complicated setup
    39  * More difficult to set up VPN
    40  * More difficult to set up 3G networking compared to using a Windows host
    41 
    42 = Prerequisites =
    43  * aos-Gateway: A device with at least two network adapters, at least one of them ethernet^1^, capable of running Linux. It will run Ubuntu Server.^2^
    44    
    45  ,, ^1^ The other one may be either an [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/BareMetalHints#anonymous3Gmodem anonymous 3G modem]; [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/BareMetalHints#anonymouswifiadapter anonymous wifi adapter], another ethernet or wifi connected to your modem/router.,, [[BR]]
    46  ,, ^2^ Theoretically you could use any OS that supports iptables or pf. If you don't want to use Ubuntu Oneiric you will have to edit the shell script. This will be easy for Debian derivatives but much more difficult for *BSD for example. In any case, the choice of OS shouldn't really matter because this system isn't used for anything but running Tor. A cheap plug computer, something like Raspberry Pi or the hardware used by Torouter would be sufficient.,,
    47  
    48  * aos-Workstation: A device connected via ethernet to the aos-Gateway. It must only have this one NIC and no other network connectivity! Must be connected by wire.^3^ This will be the torified client system or aos-Workstation. It must be capable of running Ubuntu Server.^4^ [[BR]]
    49    We recommend to use a VM as the client, the same aos-Workstation, that most non Physical Isolation users use. ^7^
    50 
    51  ,, ^3^ If you don't connect by wire, you significantly weaken isolation and security. One the aos-Workstation were infected, it could jump onto another network and start leaking.,, [[BR]]
    52  ,, ^4^ Any OS can be used. But this is not recommended! If you do anyway, read warning, especially for Windows: [https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxyLeaks Transparent Proxy Leaks].,, [[BR]]
    53  ,, ^5^ A generic VM image can neither leak identifying hardware serial numbers nor unique software fingerprints. (e.g. trough [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO#Softwareupdaters software updates]).,, [[BR]]
    54  ,, ^6^ This ensures that you get the latest security features and most secure configurations. (Such as stream isolation that protects against [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/ApplicationWarningsAndNotes#Identitycorrelationthroughcircuitsharing Identity correlation through circuit sharing], [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/XChat IRC hardening] or [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/SecurityAndHardening#aossProtocol-Leak-ProtectionandFingerprinting-Protection aos's Protocol-Leak-Protection and Fingerprinting-Protection].).,, [[BR]]
    55  ,, ^7^ From the download page or build yourself from source.
    56 
    57 = Time syncing =
    58 Please read and apply [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Readme#NetworkTimeSyncing "Network Time Syncing"] on both computers. This is a required step on the client computer because ntp doesn't work at all behind tor (it uses UDP) and if it did, it couldn't be trusted! It's also removed on both aos-Workstation and aos-Gateway by the the shell scripts.
    59 
    60 = Installation =
    61 General advice from [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Dev/BuildDocumentation#BuildSecurity Build Security and Host preparation] apply
    62 
    63 == How To Install aos-Gateway on bare metal [RECOMMENDED] ==
    64 These instructions were never updated for aos 0.2.1. Version 0.3.0 is currently in development. ^1^ [[BR]]
    65  ,, ^1^ The aos source code should be much more easy to understand, because there are no longer two immensely huge scripts, but all configuration files within their own files.
    66 
    67 1. Install Ubuntu Server 12.04 and chose following settings: ^a^
    68 {{{
    69 In the boot menu press F4 and select "Install a minimal system"
    70 Language English
    71 United States
    72 keyboard layout English (US) (don't autodetect)
    73 Primary network interface: eth0 (depends on hardware layout?)
    74 Hostname: ubuntu
    75 Full name for the new user: user
    76 Username for your account: user
    77 Choose a password for the new user: <Set up a strong password>
    78 encrypt home directory: No
    79 Timezone:UTC
    80 Partitioning: It's a good idea to set up cryptsetup based FDE at this point.
    81 No proxy
    82 No automatic updates
    83 tasksel (Choose software to install): select nothing
    84 }}}
    85  ,, ^a^ Alternatively if you want to use a unattended iso (preseed) or want to as closest to the settings used for the Virtual Box based aos-Gateway, you could use 'sudo ./aos_getiso -download' followed by 'sudo ./aos_modifyiso -create' beforehand and use the created iso for installation.
    86 
    87 2. The external interface (usually eth0) may need to be configured according to the requirements of your local network, e.g. static or simply left to use dhcp if the gateway is connected to a dhcp capable router. For wlan follow the upstream documentations: [http://wiki.debian.org/WiFi debian wiki], [https://help.ubuntu.com/community/WifiDocs/WiFiHowTo Ubuntu help].
    88 
    89 3. Make sure the internet is working.
    90 
    91 4. Install all security updates and reboot.
    92 
    93 5. Before running the aos_createvm ^2^ script make sure eth1 and eth0 refer to the correct interfaces. 'dmesg | grep eth' may be helpful. Otherwise you have to change the variables in the configuration files. To find the affected files 'grep -r eth0 *' and 'grep -r eth1 *' may be helpful. ^3^
    94  ,, ^2^ Do not get concerned about the "vm" within aos_createvm. The name is historically and the functionalty for building an aos-Gateway featuring Physical Isolation has been added later. [[BR]]
    95  ,, ^3^ Should be really only a very few files. We used variables for eth0 and eth1 wherever possible. [[BR]]
    96 
    97 6. On your aos-Gateway: It is assumed you created user account named "user".
    98 {{{
    99 su user
    100 cd ~
    101 }}}
    102 
    103 7. Get latest source code. When 0.3.0 gets released there will be a signed release tag, if you wish a signed release tag of a snapshot in meanwhile please get in contact.
    104 {{{
    105 git clone https://github.com/adrelanos/aos.git
    106 }}}
    107 
    108 8. Get into aos source folder.
    109 {{{
    110 cd aos
    111 }}}
    112 
    113 9. Most configuration files work well inside Virtual Machines and on Bare Metal. Only minor things such as deactivating powersaving, passwordless reboot, shutdown etc. are only recommend for Virtual Machines. You can easily comment them out by putting a hash # in front of them. They are marked, to find them, grep can be used.
    114 {{{
    115 grep -r VMONLY *
    116 }}}
    117 
    118 10. Copy the pre files on aos-Gateway from the aos source folder to their correct place.
    119 {{{
    120 sudo ./aos_createvm -tg-bare-metal-pre
    121 }}}
    122 
    123 11. Reboot.
    124 {{{
    125 sudo reboot
    126 }}}
    127 
    128 12. aos_internal_install_script will be automatically started, wait until it finishes. If all goes well, system will power off automatically.
    129 
    130 13. Power on again. Copy the post files on aos-Gateway from the aos source folder to their correct place.
    131 {{{
    132 sudo ./aos_createvm -tg-bare-metal-post
    133 }}}
    134 
    135 14. Reboot.
    136 {{{
    137 sudo reboot
    138 }}}
    139 
    140 15. Done.
    141 
    142 == How To Install aos-Gateway in a VM [UNTESTED / NOT RECOMMEND] ==
    143 It is advised to install a new OS just for hosting the Gateway VM, any OS that can run VirtualBox works but we recommend an Open Source system.
    144 
    145 [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Download Download] or [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Dev/BuildDocumentation#Createaos-Gateway.ova build] the aos-Gateway image.
    146 
    147 Adapter 1 can be set up as a NAT network. Adapter 2 must either be set to NAT as well (but you will need to forward ports from the host to the guest) or much simpler: use bridged networking and set it to the second physical interface (the one that goes into the isolated network/point to point ethernet). See "NAT vs Bridging" below.
    148 
    149 This configuration is entirely untested and not recommended unless you need to run Tor through a VPN (can't that be done without VMs?) or an unsupported 3G modem and can't afford a 3rd physical device.
    150 
    151 == Install aos-Workstation ==
    152 ''' If the physical network (between aos-Gateway and a router) uses 192.168.0.* you need to review and edit all shell scripts you are going to use and switch the internal network to something else!
    153 
    154 Install and update a host OS. The host can be any OS that can run VirtualBox but be aware of [https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxyLeaks Transparent Proxy Leaks]. It is not recommended to use Windows or another other commercial proprietary system.
    155 
    156 [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Download Download] or [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Dev/BuildDocumentation#Createaos-Workstation.ova build] the aos-Workstation image.
    157 
    158  * Instead of setting Adapter 1 (eth0) to internal, you'll need to use bridged or NAT networking!
    159 
    160 = NAT vs Bridging =
    161 Since aos-Workstation can see the MAC address of whatever adapter it is connected to, if you use bridget networking you should change the MAC address of the internal interface on the Gateway:
    162 https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/SecurityAndHardening#aosinpublicnetworksMACAddress
    163 
    164 If you use NAT you will have to edit the aos-Workstation so it uses dhcp or static IP for VBox NAT. The host has to be set to use the static IP configuration as configured in the aos-Workstation script. When using NAT for a virtualized Gateway you need to set up port forwarding in VirtualBox.
    165 
    166 If you use bridget networking things will (or should, we haven't tested anything yet) just work, the host will have to be configured to use a static IP as well.
    167 
    168 = Further hints and recommendations =
    169 We recommend that you use two dedicated computers for aos that are never used for activities that could lead back to your identity. Alternatively you can use an already existing and otherwise used computer for the aos-Gateway. To offer some isolation you should disconnect all internal and external drives and boot from a eSATA, USB or another internal drive into a clean environment.
    170 
    171 === non-anonymous use ===
    172  * non-anonymous box (leave it as is is, like you want)
    173  * non-anonymous home dial up internet router (leave it as is is, like you want)
    174 
    175 === anonymous use ===
    176  * aos-Gateway
    177    * This really does not have to be a big desktop computer or ordinary server. There are alternatives.
    178    * smartphone ^1^, [https://en.wikipedia.org/wiki/Ultra-mobile_PC UMPC], pad, tablet, notebook, netbook, [https://en.wikipedia.org/wiki/Raspberry_Pi Raspberry Pi], router ^2^, set top box, etc.
    179    * how to utilize such a device as a linux server is beyond the scope of this guide, there are already better resources
    180  * anonymous 3G modem (see below) or anonymous wifi adapter (see below)
    181  * aos-Workstation
    182    * You get the idea. Use a device which suits you.^1^
    183 
    184 ,, ^1^ Just some hints to get started. It is difficult and beyond the scope of aos, because you don't have an ethernet interface. Some (after market) firmwares support USB-host. (You can plug USB devices into your phone, such as an USB ethernet card. For example some rooted android smartphones can [http://android.galoula.com/en/LinuxInstall/ install] Ubuntu Linux.,, [[BR]]
    185 ,, ^2^ something like OpenWRT,, [[BR]]
    186 
    187 === anonymous 3G modem ===
    188 Normally your dial up or broadband provider knows your name, postal address and non-anonymous payment method. This is bad. Suppose Tor or aos are compromised. An adversary just has to pressure your provider and can very easily find our your identity. This is not the case here.
    189  * plugged or integrated into aos-Gateway
    190  * Buy the 3G modem anonymously [in a store, second hand, on street, no personal data].
    191    * Be sure to have never used it for non-anonymous use before.
    192      * This is because, in many countries the telecommunication company log the phone serial number (IMEI), the SIM serial number and the phone number for each network login.
    193  * Also be sure to buy the SIM-card anonymously.
    194    * Prepaid is better.
    195    * Buy cash codes in different stores anonymously.
    196    * Be sure, to never have used this anonymous SIM-card with a non-anonymous phone or 3G model.
    197      * This is because, in many countries the telecommunication company log the phone serial number (IMEI), the SIM serial number and the phone number for each network login.
    198  * Optionally use from distant random spots only. (security vs. comfort)
    199    * Check of cameras and witnesses.
    200  * 3G users often get only a shared IP. Due to scarcity of IPv4 IP's, thousands of users share the same external IP (IPv4). Some providers do not log yet users (NAT) ports. Consequently they can not identify them, when they are given an IP and timestamp. Nice to have, but don't rely on it! (Some providers assign additional IPv6 IP's to their users, which are unique. Tor does not use IPv6 yet.)
    201 
    202 === anonymous wifi adapter ===
    203 Normally your dial up or broadband provider knows your name, postal address and non-anonymous payment method. This is bad. Suppose Tor or aos are compromised. An adversary just has to pressure your provider and can very easily find our your identity. This is not the case here.
    204  * Plugged or integrated into aos-Gateway.
    205  * Buy the wifi adapter anonymously [in a store, second hand, on street, no personal data].
    206    * Be sure to have never used it for non-anonymous use before.
    207      * This is because a few providers or hotspot providers log the mac address and the username (for paid hotspots) for each dial up.
    208  * Use only free hotspots or pay them anonymously (if that's possible, otherwise abstain from paid hotspots).
    209  * Optionally use from distant random spots only. (security vs. comfort)
    210    * Check of cameras and witnesses.
    211 
    212 = Further required reading =
    213 [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Readme Readme]. The [https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/Readme#Onthehost Host] section applies to both computers!
     5https://sourceforge.net/p/whonix/wiki/PhysicalIsolation/